What is clickjacking? Clickjacking is an attack in which a malicious page manipulates a website user's activity by hiding hyperlinks or other controls beneath legitimate-looking buttons or content. This can cause the user to take an unintended action, putting their information at risk. For example, if you display your donation form on a Facebook page hosted in an iframe, a malicious person could reproduce your form in their own iframe and capture the constituent's information as it is entered into the fake form.
Why is it a concern? If your organization displays Luminate Online pages within a frame or iframe, an attacker could abuse those framed pages.
What do I need to do? Any site that uses a Luminate Online-hosted page in a frame needs to be whitelisted in the SEC_CSP_FRAME_ANCESTORS_DOMAINS SDP (site option). If you use frames to pull content from Luminate Online (LO) into Luminate CMS (LCMS), you will also need to whitelist your CMS domain.
How does the SDP work? Framing is supported only when the framing page and the framed Luminate Online page use the same scheme: HTTPS inside HTTPS, or HTTP inside HTTP. This means that putting secure donation forms on non-secure pages outside of Luminate Online will still leave you open to clickjacking. Here is how the SDP whitelisting works:
- HTTPS framing HTTPS - supported out of the box
- HTTPS framing HTTP - will not work, and the browser will give the following error: Mixed Content: The page at 'https://yourdomain.com' was loaded over HTTPS, but requested an insecure resource 'http://yourdomain.com'. This request has been blocked; the content must be served over HTTPS.
- HTTP framing HTTP - supported out of the box
- HTTP framing HTTPS - against PCI compliance
How do I whitelist my site domains that use Luminate Online-hosted pages in an iframe?
Note: When this site setting is blank and has not been used before, its initial character limit is 255 characters. If you need to whitelist domains totalling more than 255 characters, first enter at least 30 characters in the text field and Save. This raises the limit to 1000 characters.
- Select Setup > Site Options
- Click Go
- Search for the SEC_CSP_FRAME_ANCESTORS_DOMAINS option
- Enter a space-separated list of every site domain that uses Luminate Online-hosted pages in a frame. These domains will be able to embed content from this site. We have already whitelisted the following domain:
- convio.net (Luminate site)
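To show how the scheme rules and the whitelist above combine, here is an added Python example (not Luminate Online's own code) that turns a sample SEC_CSP_FRAME_ANCESTORS_DOMAINS value into a CSP `frame-ancestors` directive and decides whether a given framing page may embed a Luminate page. The sample SDP value, the domain names and the `'self'` entry are assumptions; Luminate's exact header is not described on this page.

```python
from urllib.parse import urlsplit

# Constructed sample value for the SEC_CSP_FRAME_ANCESTORS_DOMAINS site option (not a real config).
SAMPLE_SDP = "convio.net www.example-charity.org *.example-cms.net"


def parse_sdp(sdp_value: str) -> list[str]:
    """Split the space-separated SDP value into lower-cased host entries."""
    return [entry.lower() for entry in sdp_value.split()]


def frame_ancestors_header(sdp_value: str) -> str:
    """Render the CSP directive the SDP feeds ('self' is assumed; the real header is not on the page)."""
    return "frame-ancestors 'self' " + " ".join(parse_sdp(sdp_value))


def _host_matches(pattern: str, host: str) -> bool:
    """CSP host-source matching: exact host, or a '*.' prefix matching subdomains but not the bare domain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def framing_check(page_url: str, ancestor_url: str, sdp_value: str) -> tuple[bool, str]:
    """Decide whether ancestor_url may frame page_url.

    The scheme rules listed above are applied first, then the whitelist.
    Returns (allowed, reason) so the reason can be shown to an administrator.
    """
    page, anc = urlsplit(page_url), urlsplit(ancestor_url)
    if anc.scheme == "https" and page.scheme == "http":
        return False, "HTTPS framing HTTP: browser blocks the frame as mixed content"
    if anc.scheme == "http" and page.scheme == "https":
        return False, "HTTP framing HTTPS: against PCI compliance"
    host = (anc.hostname or "").lower()
    if host == (page.hostname or "").lower():
        return True, "same origin ('self')"
    for entry in parse_sdp(sdp_value):
        if _host_matches(entry, host):
            return True, f"whitelisted by entry {entry!r}"
    return False, "ancestor not in SEC_CSP_FRAME_ANCESTORS_DOMAINS; browser refuses to render the frame"


if __name__ == "__main__":
    print(frame_ancestors_header(SAMPLE_SDP))
    for framer in ("https://www.example-charity.org/", "http://www.example-charity.org/", "https://cms.example-cms.net/"):
        print(framer, framing_check("https://secure.example.org/donate", framer, SAMPLE_SDP))
```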